Over the last few years, the general populace has encountered the proliferation of malicious software (sometimes referred to as “malware”) over the Internet. Malware has many forms, including exploits, namely information that attempts to take advantage of a vulnerability in software loaded onto an electronic device in order to adversely influence or attack the operations of that electronic device. Despite repeated efforts by detection systems and software patches to address software vulnerabilities, malware continues to evade detection and infect electronic devices worldwide.
In combatting the spread of malware, it is becoming paramount that vast amounts of information associated with network traffic, which is propagating to/from/within an enterprise network over a prolonged period of time, be persistently stored. This stored information offers immeasurable value for incident response testing, so that security personnel can better understand when and how network breaches occurred, whether from an external threat entity that infected a network resource with an exploit as described above, or from an internal threat entity, namely someone who understands the enterprise network and illicitly acquires sensitive data. However, given ever-increasing data transmission speeds and the realization that, on average, network breaches are not detected until over 200 days after their original occurrence, it is becoming cost prohibitive for conventional security systems to maintain much of the needed information using conventional packet storage solutions.
Currently, to reclaim physical storage, conventional packet storage solutions normally are configured to erase stored packets on a first-in, first-out (FIFO) basis. However, this FIFO scheme fails to address the fact that various packets, independent of their time of detection, may be more valuable in subsequent incident response testing than packets stored later.